The Iran-linked threat actor is going after nuclear and Middle East region experts to conduct cyberespionage campaigns.
Charming Kitten – also referred to as TA453, APT42, Mint Sandstorm, and Yellow Garuda – is a threat actor linked to Iran. It stands out in its attempts to compromise high-value accounts in government, academia, NGOs, national security, and journalism.
Recently, the group has been going after nuclear and Middle East experts in what researchers at cybersecurity company Proofpoint called an “unending espionage quest.” The threat actor apparently impersonates well-known and reputable experts to lure victims into its trap.
In mid-May, a public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs received a seemingly benign email that appeared to come from a senior fellow at the Royal United Services Institute (RUSI).
The sender asked for feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review. The draft is the hook: the malware, which functions as a set of espionage modules, is delivered through documents such as macro-enabled Microsoft Word files.
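As an added illustration, not code from the Cybernews article or from Proofpoint's report, the following Python triage check inspects an Office Open XML package (the zip container behind .docx/.docm files) for an embedded VBA project. It keys on two standard OOXML indicators rather than on the file extension, because a renamed file still carries its macro part and content-type declaration. The sample packages are constructed inline for the demonstration; the part names and content types used are the standard Office ones, and a real Word file would contain many more parts.

```python
"""Triage check: does an OOXML package (docx/docm/xlsm, ...) carry VBA macros?"""
import io
import zipfile

# In OOXML, compiled VBA lives in a binary part (for Word: word/vbaProject.bin),
# and the package manifest [Content_Types].xml declares that part's content type.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
WORD_MAIN_PLAIN = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
WORD_MAIN_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"


def macro_indicators(data: bytes) -> dict:
    """Return the macro-related indicators found in an OOXML package given as bytes."""
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all (legacy .doc, PDF, plain text, ...)
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        # Indicator 1: a VBA project part anywhere in the package, whatever the folder.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Indicator 2: the manifest declares the VBA content type.
        if result["is_ooxml"]:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = VBA_CONTENT_TYPE in manifest
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator is present; a clean .docx has neither."""
    ind = macro_indicators(data)
    return bool(ind["vba_parts"]) or ind["declares_vba_content_type"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package for the demo (not a real, openable Word file)."""
    main_type = WORD_MAIN_MACRO if with_macro else WORD_MAIN_PLAIN
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += (
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE compound file that holds the VBA streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("macro", build_sample(True))):
        print(label, has_macros(sample), macro_indicators(sample))
```

This answers only "is there a VBA project in here?", which is the question a mail gateway or a triage analyst needs first; extracting and reading the macro source itself requires parsing the OLE streams inside vbaProject.bin, for which a dedicated tool such as olevba is the usual choice.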
“As seen in one of TA453’s most recent campaigns, the threat actor initiated contact with its target using a benign email and later used multi-persona impersonation, listing additional experts to establish rapport with the target,” Proofpoint said.
Proofpoint assesses that Charming Kitten acts in support of the Islamic Revolutionary Guard Corps (IRGC), specifically the IRGC Intelligence Organization (IRGC-IO).
According to Proofpoint's researchers, the threat actor significantly adapts its infection chain to complicate detection efforts and conduct espionage without interruption.
“The use of Google Scripts, Dropbox, and CleverApps demonstrates that TA453 continues to subscribe to a multi-cloud approach in its efforts to likely minimize disruptions from threat hunters. (...) Regardless of the infection method, TA453 continues to deploy modular backdoors in an effort to collect intelligence from highly targeted individuals,” Proofpoint said.